BlackBerry: We're Here To Kick Ass And Sell Out Users To Law Enforcement. And We're (Almost) All Out Of Users.

from the thank-you,-sir!-may-I-get-you-another?-and-another? dept

Back in mid-April, it was discovered that Canadian law enforcement (along with Dutch authorities) had the ability to intercept and decrypt BlackBerry messages. This level of access suggested the company had turned over its encryption key to the Royal Canadian Mounted Police. BlackBerry has only one encryption key for most customers -- which it maintains control of. Enterprise users, however, can set their own key, which cuts BlackBerry out of the loop completely.

BlackBerry CEO John Chen -- despite publicly criticizing Apple for locking law enforcement out of its phone with default encryption -- refused to provide specifics on this apparent breach of his customers' trust. Instead, he offered a non-denial denial, stating that BlackBerry stood by its "lawful access principles."

> A specialized unit inside mobile firm BlackBerry has for years enthusiastically helped intercept user data — including BBM messages — to help in hundreds of police investigations in dozens of countries, a CBC News investigation reveals.

This unit, which cracks open BlackBerries for nearly anyone who comes asking, is very proud of its work.

> One document obtained by CBC News reveals how the Waterloo, Ont.-based company handles requests for information and co-operates with foreign law enforcement and government agencies, in stark contrast with many other tech companies.
>
> "We were helping law enforcement kick ass," said one of a number of sources who told CBC News that the company is swamped by requests that come directly from police in dozens of countries.

Go team! While these sources remain generally upbeat about throwing customer privacy and security to the wind, the official word from the company is less enthused. In fact, it's nonexistent.

> In response to questions from CBC News, a BlackBerry spokesperson said it "will not address the questions given the extremely sensitive nature of this process."

This unadvertised service is apparently so popular BlackBerry has streamlined the process. It offers government agencies a list of boxes to check for what kind of information they'd like retrieved from a phone (including the ominously vague "other"), as well as the option to declare any request "exigent."

It also asks that the requesting party sign off on some boilerplate saying the request is legal in the requester's country and that it is not being done to "control, suppress or punish… political or religious opinion."

Of course, BlackBerry is not a government agency so it really can't do anything if someone "perjures" themselves by signing the form and moving directly towards suppression, punishment, etc. The best it can do is not allow that entity to make any more requests. I'm guessing this almost never happens because the quoted sources seem like a bunch of overly-cheery do-gooders. Policing the police would require BlackBerry to second-guess the government entities it seemingly can't wait to assist.

> "Narco trafficking, human trafficking, money laundering, kidnapping, crime against children, knowing you are stopping those things … how do you not love doing something like that?" said the insider.

Yup. [Insert whatever the Canadian equivalent of "'Murica!" here.]

In its hurry to help supposed good guys track down alleged bad guys, the Canadian branch of BlackBerry's "full give" operations is skirting around statutes meant to protect locals from inappropriate demands made by foreign countries.

> Christopher Parsons, a research associate at the University of Toronto's Citizen Lab, who has studied the privacy practices of tech companies, is worried by the secrecy of BlackBerry's process and its potential for abuse.
>
> [...]
>
> He said BlackBerry is allowing foreign police to bypass the Mutual Legal Assistance Treaty, a diplomatic agreement that allows Canadian officials to review requests from foreign police and consider whether they are legal under Canadian law.

But, as Parsons points out, law enforcement agencies are probably thrilled to have someone on the inside willing to violate treaties with the drop of a pre-printed form. Adhering to MLAT may result in significant delays, whereas approaching BlackBerry directly sets its team of super-secret gofers in motion immediately.

Of course, the major downside here is that very few criminals are likely still using BlackBerries. Most of the company's customers are enterprise users and they have the ability to lock down their phones so tight not even BlackBerry can get into them. But for all the panicked talk about going dark, BlackBerry's special ops unit says it's still surprised at how many criminals are unaware the company is basically the local PD at this point.

The nails were already in the coffin for BlackBerry. Each new exposure of its highly-proactive law enforcement assistance is only going to hasten the dwindling of its user base.

Reader Comments

Blackberry will now learn what it means to its bottom line to ignore user privacy. It long ago drank the koolaid, the coming drop in purchasing will reflect the brand name is a 'has been' as so many other services and products before it have traveled this path.

I assure you, I will never own a Blackberry given the response here in this article.

I've heard a lot about corporations moving out over taxes and it keeps popping up in the back of my mind that taxes might just be the excuse for leaving. After all, if you're given a NSL, you can't talk about it but you can take action and lay claim to other reasons as the cause to move.

Blackberry will never learn

> Blackberry will now learn what it means to its bottom line to ignore user privacy.

Blackberry will never learn. They will ride this horse all the way into bankruptcy. Then, when the company is history, they will blame some other factor for their own demise. This is all so predictable right now, so the fact that they have not learned at this point means they will never learn.

I wonder if the original success of Blackberry was related to its relationships with governments?

Re:

"Blackberry will now learn what it means to its bottom line to ignore user privacy"

Nah, they won't learn a thing. If that was a learnable lesson for them, they would have learned it back when they were RIM after they got caught assisting oppressive governments in their efforts to spy on political dissidents and were unapologetic about it.

It was shortly after that when they lost their dominant market position.

Re:

Blackberry is complying with police warrants only. Not sure how you think that they are selling you out personally unless you are committing crimes. Plus this is mostly in relation to old Blackberrys that used the Blackberry network. New Blackberrys don't use this network. The major phone carriers all give your information out to law enforcement with a warrant, why should Blackberry be any different.

Re: "Not even BlackBerry"

It's a fact that enterprise customers set their own key. If you knew anything about encryption or read the documentation you would know this. You can verify it no problem it is documented in technical documentation, proving it. Go read instead of accusing them of fictional things.

Re: Re: "Not even BlackBerry"

> It's a fact that enterprise customers set their own key. If you knew anything about encryption or read the documentation you would know this. You can verify it no problem it is documented in technical documentation, proving it. Go read instead of accusing them of fictional things.

I haven't made any accusation, except that documentation doesn't prove anything. How are users to verify that the software they're running operates as documented? Even if BB really believe it does, how do users verify BB implemented it properly, without bugs?

Some software has recently been moving to reproducible builds, which can provide strong evidence that the binary code and source code match (but doesn't rule out bugs or backdoors disguised as bugs, or bad design). BB, by contrast, might be making detailed technical claims, but I haven't seen anything that would "prove" it. Please link to such proof if you have it.

Re: Re: Re: "Not even BlackBerry"

Go read up on encryption. You don't have a clue what you are talking about. Even if Blackberry put in a back door to the system, which they didn't, they could not decrypt the data because they did not create the key. Arguing continually about this makes you look ridiculous because this is a fact you have to live with. You can doubt it all you want but you would be 100% wrong. Ignoring the facts doesn't help anything.

Re: Re: Re: Re: "Not even BlackBerry"

> Go read up on encryption. … Even if Blackberry put in a back door to the system, which they didn't, they could not decrypt the data because they did not create the key.

That's not how cryptography works. The "creator" of the key has no special access—everyone who knows the key has the same access. So we need to verify that no component of the system leaks the key(s), either the "master" keys or any session keys—cf. Heartbleed, Crypto AG, Dual EC DRBG, side-channel attacks.

Security and cryptography are hard, as has been demonstrated repeatedly. Even software written and peer-reviewed by brilliant people has been broken, whether there were intentional backdoors or not.

Re: Re: Re: "security"

Please explain how they have viewed users as adversaries, that is a pretty ridiculous statement. Blackberry devices are the most secure on the planet of course they are more locked down than Apple's. There is kernel level security from QNX and their devices have never been rooted. Apple has only given out enough information to help developers. Plus how is being locked down a bad thing?

Re: Re: Re: Re: "security"

> Blackberry devices are the most secure on the planet

When there is Blackberry in the middle, giving your messages to the police on demand, there is no security. A secure messaging system ensures that only the sender and intended recipient can read the messages, and decide who to pass the contents onto.

Re: Re: Re: Re: "security"

"Blackberry devices are the most secure on the planet of course they are more locked down than Apple's."

This is simply untrue. If it's possible for Blackberry to give information about user communications or the data on the devices, then not only aren't their devices the most locked down, you can't even argue that they're locked down at all.

Re: Re: Re: Re: Re: "security"

> If it's possible for Blackberry to give information about user communications or the data on the devices, then not only aren't their devices the most locked down, you can't even argue that they're locked down at all.

The term "locked down", as normally used (and distinct from just "locked"), generally refers to features that prevent the owner and/or user from fully controlling the device. It does not imply that the entity with control (BlackBerry in this case) is prevented from doing anything.

People sometimes confuse this with security. Those marketing locked-down devices encourage such confusion.

Re: "security"

If you are not a criminal, police will not be trying to access your data. Otherwise BB is secure as anything. Enterprise Blackberrys are not accessible by anyone but the enterprise, Blackberry cannot access the data no matter what.

Everyone should have known this from India's demands

If you recall, India demanded the keys to Blackberry's kingdom a few years ago. Blackberry initially said they couldn't help. Then it was announced that Blackberry and India came to some agreement though they wouldn't say what it was. I knew then that Blackberry did have a way to cooperate with government requests and were in fact doing it.

Re: Everyone should have known this from India's demands

Once they decided this I said there was no future for BlackBerry and it's all downhill from there.

The only question is the date on when they shutter. It's coming and we all will see it.

Sure they could save themselves, but that might be a risk they are not willing to take because they have to get out of bed with those corrupt regimes to do it. A lot of folk kill their lovers when they leave the bed and I am certain that if they left India that might happen.

Re: Everyone should have known this from India's demands

India and Pakistan wanted full access to public and enterprise blackberries. Blackberry refused to give the enterprise backdoor so they compromised on the public data. That was the secret agreement you refer to, that isn't really secret.

Dear Government...

Re: Dear Government...

Government is one of Blackberry's biggest customers already. Not sure what your spoof is supposed to mean. Most of what this article is referring to is old old news that was related to old blackberrys from 5 years ago and not the next generation blackberry devices.

Re: Re: Dear Government...

The relevancy to current devices is corporate attitude. Blackberry's stance is clear and assertive enough that it's pretty safe to assume their behavior is no different with any of their devices or services.

Blackberry is for the Leaders of the World

Laundering

"Hundreds of police investigations in dozens of countries", and yet it isn't being routinely revealed in court? While BlackBerry may be falling all over itself to destroy people's financial privacy (so-called money laundering) it seems to have no problem whatsoever aiding and abetting evidence laundering in the furtherance of fraud on the courts.

Re:

Very biased article

This article seems to want to accuse Blackberry for just randomly accessing everyone's information anytime. The fact is the agency applying to have data extracted or collected also had to provide a legal warrant along with the request. You fail to mention this small fact that a real warrant from a real judge in a real court is required. Plus in most cases this is all for old Blackberry phones that used the blackberry network. Not current Blackberry devices which no longer use the Blackberry network, except for BBM messages. In fact they are only doing what is legally required. No one's privacy is being exposed any more than anyone else that has a police warrant due to an investigation into their activities. So is it ok that the phone carriers also help law enforcement get calls, messages, texts and other similar information and that the phone carriers also have departments to do this? Why should smartphone data be private yet they can access all this other information? The fact is the police have every legal right to access this information. Refusing to help the police should be illegal. For all the people who think their privacy is violated, have you committed any crimes? If you have not committed crimes I am not clear how you can be worried about anything. If you have committed crimes and document them on your smartphone, too bad for you.

Re: Very biased article

Legal warrants? Apparently not.

Not all countries have trustworthy judges. There are plenty of totalitarian governments, and plenty of democracies with corrupt judges.

Which is why U.S. law prohibits the likes of Apple, Facebook, and Google from intercepting communications on behalf of foreign agencies. And it's why Canada is party to the Mutual Legal Assistance Treaty, a diplomatic agreement that allows Canadian officials to review requests from foreign police and consider whether they are legal under Canadian law.

BlackBerry is allowing foreign police to bypass the process, with BlackBerry being the one that makes that decision, as opposed to the Canadian government.

> For all the people who think their privacy is violated, have you committed any crimes? If you have not committed crimes I am not clear how you can be worried about anything.

Seriously....? SERIOUSLY?

"If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him." - Cardinal Richelieu

There have been plenty of people scooped up, disappeared and tortured by the US government - "the leader of the free world" - on the vaguest of evidence, later let go with an "er, never mind." Or in simple criminal law, cases where people were jailed purely through confirmation bias. The more details you have about someone, the more you can build a picture of guilt where none exists. A phone hands over a mountain of details.

Re: Very biased article

The warrant requirement means very little.

Since the warrants they require are from the courts of the nation the user is in, the requirement is of little meaning. Warrants only mean that the action is legal in the given nation. They do not mean that the action is proper or ethical.

"If you have not committed crimes I am not clear how you can be worried about anything."

Ahh, I see now. You believe that governments are virtuous and that if you aren't breaking the law then you have nothing to fear. I doubt if anything I could say would disabuse you of this fallacy, but there are lots of longstanding examples of how wrong this is.

Re: Very biased article

I like how your pseudonym is a reference to Thailand, where the military has taken over the government and is very, very keen on using its lese majeste laws to hold suspected dissidents in permanent detention based on cursory accusations of possibly being disrespectful to the king. You don't need to commit crimes to be worried; it's easy for the law, military or government to decide that you might have violated something and throw the book at you for it.

Shall we have a look at your phone? If you have not committed crimes I am not clear how you can be worried about anything.

You /sure/ about that?

> BlackBerry has only one encryption key for most customers -- which it maintains control of. Enterprise users, however, can set their own key, which cuts BlackBerry out of the loop completely.
>
> ...
>
> Most of the company's customers are enterprise users and they have the ability to lock down their phones so tight not even BlackBerry can get into them.

Given how eager they are to give access to other products of theirs I wouldn't put too much faith in the security of the enterprise version. I mean come now, they set up an entire department for the sole purpose of speeding up access to devices they sell to anyone with a badge and the five minutes it takes to fill out the form. This is clearly not a company that values the privacy of their customers in the slightest.

While it's possible that the enterprise version of their products is indeed truly secure, and doesn't have any backdoors that can be exploited whenever someone comes knocking at BB's door, given their other actions I certainly wouldn't trust it to be that way, and no-one who actually cares about security should trust them either.

Re: You /sure/ about that?

You are just making stuff up. They are eager to help law enforcement with investigations, not give away your data. This article fails to mention a POLICE WARRANT is required for all requests and they will not be fulfilled without the legal court document.

You are obviously not an expert on Blackberry so you are totally wrong about the enterprise Blackberry environments. If you were to actually go read about the technology you would actually discover that if an encryption key is set by the customer, nobody can crack it. Nobody. Doesn't matter if there was a back door, they couldn't encrypt the data. Being you don't understand how encryption works, I am not clear why you are even continuing to argue your claims. All you really want to do is trash Blackberry.

Re: Re: You /sure/ about that?

A warrant you say, well then clearly there's no problems at all, since those would never be issued without seriously solid evidence of criminal activity backing them up. /s

Sorry, but I've been around too long to be impressed by warrants or assume that just because one's been handed out that that means there's any real indicator of illegal activity (tea leaves and gardening supplies anyone?). There's also the teeny tiny little problem that it looks like they're accepting warrants from different countries and accepting them at face value without checking whether or not they're valid in the country the search is taking place in. A warrant in the UK for example does not necessarily meet the requirements of a warrant in Canada, but BB is treating it as just as valid, which is just a bit of a no-no.

> You are obviously not an expert on Blackberry so you are totally wrong about the enterprise Blackberry environments.

Yup, you got me, the only reason I know or care about the company at all is because articles keep coming out about their practices, statements and screw ups. I didn't go to 'Blackberry 101' classes or get a doctorate in Blackberry, so clearly any statements or ideas I may toss out regarding them can be safely dismissed.

Speaking of expertise however, what's yours? Given your strident defense of them, some more laughable than others ('If you have not committed crimes I am not clear how you can be worried about anything.', really?), I can't help but wonder if you're connected to them in some way, so by all means explain what makes you qualified to make the statements on them that you have been.

> If you were to actually go read about the technology you would actually discover that if an encryption key is set by the customer, nobody can crack it. Nobody. Doesn't matter if there was a back door, they couldn't encrypt the data.

Yeah, that's kind of the entire point of a back-door, it completely bypasses the regular security. As such if one did exist then it wouldn't matter how strong the customer-side encryption was, because that security would never even come into play.

Re: Water-Based Locations

How is something that happened in the 70's where people broke into a hotel and committed a crime related to this? Plus this was probably taking place in their Ottawa offices, not in Waterloo. Plus nothing illegal happened here at all. There have been a few other far more important scandals between this and Watergate. This isn't even a scandal or crime at all.

Re:

They pretty much don't anymore. The security problems aside, Blackberry seems to be incapable of creating a phone that is actually desirable anymore.

Corporations and governments are basically the only entities willing to put up with them anymore, and that's basically because of the Enterprise BBM security stuff that isn't available to ordinary consumers.